GDPR Conference – Q+A Responses

During the GDPR Conference on 13th March, we had a huge amount of useful and interesting questions submitted by the delegates who attended. Some of the more specific, complex questions will be answered by the experts, however below are some of the questions we have answered predominantly using content provided on the ICO website.

How do we keep a record of someone asking us to delete all their data?

You are permitted to keep a record of someone who has asked not to be contacted – because if you were then to send them a message asking if they consented to hear from you, you would be in breach of GDPR. Just ensure you keep the list you create (which can be on a platform as basic as excel) secure.

Include who consented, when, how, and what they were told.

I run a small sole trader company. Do I need a Data Protection Officer? I have read figures mentioning exemption for companies employing less than 250.

Under the GDPR, you must appoint a DPO if:

You are a public authority (except for courts acting in their judicial capacity);

Your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

This applies to both controllers and processors. You can appoint a DPO if you wish, even if you aren’t required to. If you decide to voluntarily appoint a DPO, you should be aware that the same requirements of the position and tasks apply as if the appointment had been mandatory.

Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and resources to discharge your obligations under the GDPR. However, a DPO can help you operate within the law by advising and helping to monitor compliance. In this way, a DPO can be seen to play a key role in your organisation’s data protection governance structure and to help improve accountability.

If you decide that you don’t need to appoint a DPO, either voluntarily or because you don’t meet the above criteria, it’s a good idea to record this decision to help demonstrate compliance with the accountability principle.

Do we need to ask our current database of contacts whether they want to continue receiving our marketing material?

It depends which ground you have selected as your lawful basis for processing. In some instances legitimate interests would be appropriate; if so, you must tell people in your privacy information that you are relying on legitimate interests, and explain what these interests are. If you are relying on legitimate interests for direct marketing, the right to object is absolute and you must stop processing when someone objects. For other purposes, you must stop unless you can show that your legitimate interests are compelling enough to override the individual’s rights. Read the ICO’s guide to legitimate interests and when it should be used here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protectio...

However, if consent is the most appropriate basis for processing personal data, which the ICO stress is often the case for direct marketing, you will need to gain a clear, positive opt-in action from every individual whose data you hold if they are to continue to receive marketing from your organisation. You must keep clear records to demonstrate consent, and you will need to tell people about their right to withdraw and offer them easy ways to withdraw consent at any time. If they don’t reply, this should be treated as an indication that they no longer wish to receive information from you, and they should be removed from your database.

Where we already have consent do we need to get consent again under GDPR if the old consent would no longer be acceptable?

You need to review existing consents and your consent mechanisms to check they meet the GDPR standard. If they do, there is no need to obtain fresh consent.

Is a corporate email address personal data?

Yes, any data which can identify a living person is personal data.

If you are sending marketing to someone within an organisation using an email address in the form firstname.surname@organisation.com, or contacting a specific individual using a phone number identified with them, then you will be processing personal data and you will therefore need to follow the requirements of GDPR in terms of how you process that data.

What will Brexit mean for GDPR?

Even though the UK is planning to leave the EU, the UK will still need to comply with the GDPR. One reason for this is the cross-over period between the GDPR coming into force and the UK exiting the EU. The UK will need to comply with the Regulation while it is still a part of the EU. Another reason is the extraterritorial reach of the GDPR. UK companies continuing to do business with the EU after Brexit will need to comply with the Regulation to avoid infringements.

How does personal data relate to B2B contacts? Can I contact someone I've swapped business cards with at an event like this and add them to a mailing list?

In order to contact someone and ensure you are being compliant with GDPR, there needs to be a clear statement or clear affirmative action, and in a situation where someone has handed you their business card it would be a clearly positive action by one person saying to another, “can I get in touch with you?”. There would be no other reason why an individual would give someone a business card, other than if they wanted you to contact them. You will need to record that the person has handed you their business card and has consented to hearing from you, so make a note of the action on, for example, your CRM system.

How long does consent last for? Does it need to be included within the "opt-in" wording?

The ICO state there is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate. However, in the conference Alex stated that if you are sending marketing material that is no longer relevant to the initial reason a data subject gave consent to hear from you (for example, when they consented to hear about summer holiday deals) that consent would have expired and would no longer be compliant. If you are sending communication about a winter holiday, the subject wouldn’t have expected that communication and that’s not what they signed up for. So, when gaining consent, the way in which you are intending to use customer data must be made specific and written in clear and granular wording when it is requested.

Alex said consent can be verbal. How do we evidence verbal consent to meet record keeping requirements?

As Alex stated, verbal consent can be recorded on a CRM system for example, or a spreadsheet even. As long as that information is secure, and cannot be confused with a list being kept of people who do not wish to be contacted, it meets requirements.

How does this affect outbound call centres? Do we need to ask existing contacts for consent when we contact them & is this required each time we speak to them?

To ensure you are GDPR compliant when making live calls, you would need to fulfil the following criteria:

We screen the numbers against the Telephone Preference Service (TPS) (or for corporate subscribers the Corporate Telephone Preference Service (CTPS))

We keep our own do-not-call list of anyone who says they don’t want our calls

We screen against our do-not-call list

We display our number to the person we’re calling

How does GDPR apply to direct mail - can I send marketing material in the post without consent?

As with electronic marketing, if the person or organisation you're targeting asks to be taken off your mailing list, you must comply with their request. There are no exceptions to this rule, and if you fail to comply, they can apply to the courts for an order against you under section 11 of the Data Protection Act.

The Mailing Preference Service (MPS) is a service set up by the direct marketing industry to help people who don't want to receive 'junk mail'. People simply register their details to prevent further mailings, and several direct marketing codes of practice specify that marketers should clean their lists against the MPS file. Many of the companies who subscribe to the MPS recognise the considerable benefits of the service as they save money, time and resources by not sending material to people who don't wish to receive it.

Follow these steps to ensure compliance:

We have screened the names and addresses against the Mailing Preference Service

The individuals on the list have at least given a general statement that they are happy to receive marketing from us

Where the individuals haven’t given specific consent, the marketing is consistent with the context in which the information was provided and concerns a similar product, service or ideal

Can an organisation be a data controller and processor? What is the difference between the two terms?

A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller.

If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.

However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

A data processor usually also has its own data controller responsibilities for personal data which is not being processed on behalf of its data controller client. An IT services firm will have its own data controller responsibilities for its employees’ records or those of its clients and suppliers, but not for the data processing it carries out when it is storing personal data for a client such as a bank. An organisation cannot be both data controller and processor for the same data processing activity; it must be one or the other. This means that in order to establish which organisation has data protection responsibility for which data, it is necessary to look at the processing in question, as well as the organisations involved. It is also important that, as far as is practicable, systems and procedures distinguish between the organisation’s ‘own’ data and the data it processes on behalf of the other data controller.

The GDPR only applies to EU residents’ personal data. The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.

Do small micro businesses need to be GDPR compliant when holding customer data such as addresses, emails and bank details?

You’ll have to comply with the GDPR regardless of your size, if you process personal data. To fall within the remit of the GDPR, the processing has to be part of an “enterprise”. Article 4(18) of the Regulation defines this as any legal entity that’s engaged in economic activity.

Do individuals have the right to rectification, erasure or to be forgotten within Healthcare and/or the Criminal Justice System?

The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:

Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.

When the individual withdraws consent.

When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.

The personal data was unlawfully processed (ie otherwise in breach of the GDPR).

The personal data has to be erased in order to comply with a legal obligation.

The personal data is processed in relation to the offer of information society services to a child.

Under the GDPR, this right is not limited to processing that causes unwarranted and substantial damage or distress. However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.

There are some specific circumstances where the right to erasure does not apply and you can refuse to deal with a request.

You can refuse to comply with a request for erasure where the personal data is processed for the following reasons:

To exercise the right of freedom of expression and information;

To comply with a legal obligation, or for the performance of a public interest task or exercise of official authority;

For public health purposes in the public interest;

For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or

For the exercise or defence of legal claims.

If consent can be verbal does that mean we can get opt-in by phone so long as it's backed-up by recording time and date against that individual’s record?

Yes, as long as they’ve given a positive and informed indication of wishing to receive that specific contact from your organisation, that would be considered adequate consent. Just ensure you record when and who gave that consent and what they were told, on your CRM system, for example.

What's the best way to ensure outsourced marketing partners are GDPR compliant?

The following are the steps the ICO recommend taking for any contract under which another organisation may process the data you control:

Whenever a controller uses a processor it needs to have a written contract in place.

The contract is important so that both parties understand their responsibilities and liabilities.

The GDPR sets out what needs to be included in the contract.

In the future, standard contract clauses may be provided by the European Commission or the ICO, and may form part of certification schemes. However at the moment no standard clauses have been drafted.

Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected. In the future, using a processor which adheres to an approved code of conduct or certification scheme may help controllers to satisfy this requirement – though again, no such schemes are currently available.

Processors must only act on the documented instructions of a controller. They will however have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply.

GDPR will not apply to personal data under contractual obligation such as transactional communications. For example, you don’t need specific consent from clients for sending them their invoice.

If we do not use/report the personal data that we hold on employees, e.g. religion or ethnic background, should we delete this data?

The ICO recommend deleting personal information that is irrelevant and excessive.

Is data that’s available on the internet classed as ‘personal data’ such as that freely accessible on Companies House?

Yes, any personal data which distinguishes one living person from another is considered personal data. If you wish to contact them, you will first need to ask them if they consent to receiving information from you about X, Y or Z, and if they specifically request that you do not contact them, you must make sure to remove them from your data records and not contact them again.

Is pseudonymised data impacted by GDPR?

Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

Do you have to report low risk breaches to the ICO - ie breaches with no sensitive/ little personal data? What is the standard?

Under GDPR, you must report a breach which could lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it.

You must also keep a record of any personal data breaches, regardless of whether you are required to notify.

As long as you have ensured the data you are storing on MailChimp, or have given MailChimp to process, has been gathered in compliance with one of the lawful grounds for processing, you have upheld your responsibilities. You just need to ensure you are happy with the T&Cs or contracts you have with any external provider who will be processing the data of which you are the controller.

Online - Is GDPR responsibility that of the company or their web hosts?

Under GDPR there’s a joint responsibility now between data controllers and data processors. So, if your IT provider or plan provider falls into the category of a data processor, which quite often it will, then you have a joint responsibility around that data. As a data controller, the data you have collected and passed on to the processor is your responsibility. Therefore, it is advisable to assess the contracts that you have in place with those providers and make sure that they are appropriate. For more guidance on data processors and controllers, please click here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protectio...

What are the 6 grounds for lawful processing under GDPR?

The 6 grounds for lawful processing are:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Do we need to ask consent to pass data through a third party? Ie mailing house, external reviews (like Feefo) even if they opted in to our mailing list?

You need to make it clear when requesting consent, or in your privacy notices, how you will process the subject’s data, which includes any third party who will have access to their data.

Do you need consent to run a ‘re-permission’ campaign?

If data has been obtained without consent, you do NOT have permission to run a re-permission campaign against it; doing so could mean breaking current DPA and PECR rules. Wetherspoons decided to mitigate this risk by ‘simply’ deleting their entire mailing list to start from scratch as GDPR compliant!

If you’re holding data that was provided to you freely by the subject, but is not compliant with the GDPR, then it is necessary to initiate a re-permission campaign.